April 5, 2012

Which are more secure, virtual or physical desktops?

Not everything that happens in Vegas stays in Vegas. My laptop picked up the Secure Shield Virus at VMware Partner Exchange, and I ended up sending it back to Corporate IT for reimaging.

A virtual desktop (vDT) does not prevent laptop malware infection – at least not if local browsing is permitted – but it does leave a user’s corporate desktop unimpaired. Notwithstanding this example of the type of security benefit vDTs can provide, a debate continues as to whether virtual desktops are, on the whole, more secure than their physical counterparts.

Gaps in Physical Desktop Security

Security requires both IT visibility and control, but both diminish once a corporate laptop leaves the building and is no longer on the corporate network or Wi-Fi. The device becomes susceptible to malware, can become a gateway into the corporate network, and can be lost or stolen along with the sensitive organizational information it holds.

Data breaches, whether from a stolen laptop or from a hacked remote office server or desktop, can be very costly for organizations to remediate, and they can do irreparable damage to corporate brands and reputations. Encryption is touted as the solution, but in practice only about one third of laptops are encrypted, according to a 2009 Ponemon Institute study. Encryption software costs money, must be managed and can make the user experience less productive.

BYOD exacerbates these security challenges by making it difficult to monitor whether employees are complying with organizational policies and regulatory requirements. A jailbroken iPhone, for example, is particularly vulnerable to attack. Litigation can lead to discovery and forensic review, which in turn raises privacy issues as employers gain access to employees’ personal information and Web browsing habits.

VDI Benefits

By virtual desktops, I mean the centrally hosted variety that is part of VDI (Virtual Desktop Infrastructure). The vDTs are housed, administered and backed up in data centers, regardless of where they are accessed from. This centralized model is more easily managed than a distributed environment in which users can download applications and store corporate data on their local machines.

Technologies such as VMware OffLine or Citrix XenClient allow for local instances of virtual desktops, but centralized control is lessened because VMs and/or data now travel back and forth between local devices and the data center. Some users demand access to corporate information when data center connectivity is unavailable, such as when flying. But rather than make exceptions to a centralized desktop computing model, users can work on other tasks during the flight, or book flights on aircraft that provide Wi-Fi.

VDI enables desktop control similar to the mainframe and VAX days, when applications were accessed via dumb terminals, except that users can create Excel reports in minutes rather than wait for months in an MIS queue. And, of course, users can securely access their vDTs from almost any type of device, whether PC, Mac, zero-client terminal, tablet or smartphone.

Virtual desktop session recording enhances IT visibility into user-level activities and can provide an audit trail showing both who is accessing sensitive corporate information and how it is being accessed. IT can prove, for example, that a stolen laptop never had access to sensitive information, thereby negating the onerous requirement to notify customers of a potential breach.

The VMware View and Citrix XenDesktop connection brokers provide useful information such as client IP addresses, connection times, and whether a USB stick was plugged in and, if so, what type. Connection broker policies can be set to disable copy and paste and printing. They can also prevent USB devices or local drives from being mapped into the virtual machine, making it difficult to extract corporate data.
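The audit trail that the two preceding paragraphs describe (who connected, from which address, when, and whether a USB device was attached) is the kind of thing a defender would want to reconstruct from broker events. The following is an added example, not code from the original post and not the VMware View or Citrix XenDesktop log format: the event layout, pool names, users and addresses are constructed for illustration, and it pairs connect/disconnect events into sessions and flags mass-storage devices that the broker policy did not block, plus sensitive-pool logons outside business hours.

```python
"""Per-user audit trail and review flags built from connection-broker style
events. Added example: the event format, pools, users and addresses below
are constructed, not taken from any real broker's logs."""
from dataclasses import dataclass, field
from datetime import datetime, time

# Constructed sample events: timestamp, user, client IP, event kind, key=value details.
SAMPLE_EVENTS = """\
2012-04-05T08:02:11 alice 10.20.1.15 CONNECT pool=hr-secure
2012-04-05T08:03:40 alice 10.20.1.15 USB_ATTACH vendor=0x0781 class=mass-storage
2012-04-05T08:04:02 alice 10.20.1.15 USB_DENIED vendor=0x0781 class=mass-storage
2012-04-05T09:15:00 bob 203.0.113.7 CONNECT pool=finance
2012-04-05T09:16:30 bob 203.0.113.7 USB_ATTACH vendor=0x046d class=hid
2012-04-05T17:45:00 alice 10.20.1.15 DISCONNECT pool=hr-secure
2012-04-05T23:10:00 carol 198.51.100.9 CONNECT pool=finance
2012-04-05T23:12:00 carol 198.51.100.9 USB_ATTACH vendor=0x0951 class=mass-storage
"""

# Assumed pool names whose desktops reach sensitive data, and the window
# outside which a connection to them deserves a second look.
SENSITIVE_POOLS = {"hr-secure", "finance"}
BUSINESS_HOURS = (time(7, 0), time(19, 0))


@dataclass
class Event:
    ts: datetime
    user: str
    client_ip: str
    kind: str
    detail: dict = field(default_factory=dict)


def parse_events(text):
    """Parse the constructed line format into Event objects, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, kind, *rest = line.split()
        detail = dict(item.split("=", 1) for item in rest)
        events.append(Event(datetime.fromisoformat(ts), user, ip, kind, detail))
    return sorted(events, key=lambda e: e.ts)


def sessions(events):
    """Pair CONNECT/DISCONNECT events per user into session records.

    Each record carries user, pool, client_ip, start and end; end stays None
    while the session is open. This is the 'who, from where, when' trail."""
    open_by_user, records = {}, []
    for ev in events:
        if ev.kind == "CONNECT":
            rec = {"user": ev.user, "pool": ev.detail.get("pool"),
                   "client_ip": ev.client_ip, "start": ev.ts, "end": None}
            open_by_user[ev.user] = rec
            records.append(rec)
        elif ev.kind == "DISCONNECT" and ev.user in open_by_user:
            open_by_user.pop(ev.user)["end"] = ev.ts
    return records


def in_business_hours(ts):
    start, end = BUSINESS_HOURS
    return start <= ts.time() < end


def review_findings(events):
    """Return findings an analyst should look at: mass-storage USB devices
    attached during a sensitive-pool session that the broker policy did not
    block, and sensitive-pool connections outside business hours."""
    blocked = {(ev.user, ev.detail.get("vendor")) for ev in events if ev.kind == "USB_DENIED"}
    current_pool, findings = {}, []
    for ev in events:
        if ev.kind == "CONNECT":
            pool = ev.detail.get("pool")
            current_pool[ev.user] = pool
            if pool in SENSITIVE_POOLS and not in_business_hours(ev.ts):
                findings.append(f"{ev.ts.isoformat()} {ev.user} connected to {pool} "
                                f"from {ev.client_ip} outside business hours")
        elif ev.kind == "DISCONNECT":
            current_pool.pop(ev.user, None)
        elif ev.kind == "USB_ATTACH":
            pool = current_pool.get(ev.user)
            storage = ev.detail.get("class") == "mass-storage"
            if pool in SENSITIVE_POOLS and storage and (ev.user, ev.detail.get("vendor")) not in blocked:
                findings.append(f"{ev.ts.isoformat()} {ev.user} attached mass-storage device "
                                f"{ev.detail.get('vendor')} during {pool} session and it was not blocked")
    return findings


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for rec in sessions(evs):
        print(rec)
    for finding in review_findings(evs):
        print("REVIEW:", finding)
```

On the sample data, alice's storage device is attached and then denied by policy, so it produces no finding, while carol's after-hours finance logon and her unblocked storage device produce two. The denied set is collected in a first pass because the broker's deny event arrives after the attach event it refers to.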

Additional tools enable further protection. VMware vShield, for example, can wrap around a VM to keep malware from coming in. Varonis provides log-on information about files opened, Web sites visited, and so on. Tools from RSA can scan the copy/paste buffer and flush it if sensitive information is detected. RSA enVision produces a report of all access to sensitive information.

One of the most compelling VDI benefits is the elimination of common BYOD concerns around security and privacy. For example, IT no longer needs the ability to remotely wipe a personal device if it is lost or stolen. The employee’s corporate desktop and data continue to reside securely in the data center; a simple password change prevents unauthorized access.

VDI Risks

On the downside, VDI, as Brian Madden points out in an April 2010 SearchVirtualDesktop article, “moves your unpredictable users from out in the field into your data center.” The article goes on to offer some good practices for addressing this risk.

VDI can also mean increased susceptibility to a single point of attack, since all vDTs run on a data center hypervisor. Once past the perimeter, a skilled attacker can reach the IP addresses of the other VMs. A product such as VMware vShield can mitigate this risk by creating a firewall that allows VMs in the same desktop pool to talk to designated resources, but not to each other. Today’s version of vShield requires substantial effort to set up the rules, though tighter integration at the VMware View level should be able to largely automate the process.

So is a Virtual Desktop More Secure than the Physical Version?

Virtual desktops, out of the box, may not be more secure than a well-managed physical desktop environment; in my experience, however, such environments are uncommon. Physical desktops demand significant IT resources for provisioning, image management, upgrades, patches and desk-side troubleshooting, and security often gets less attention than it should.

In not-so-well-managed environments, the mere act of centralizing desktops and data is, on balance, going to be more secure. Virtual desktops, unlike physical ones, are not susceptible to loss, theft or physical attack. Attackers are limited to keylogging and screen scraping, and third-party tools can help minimize these risks. VDI can also potentially reduce the risks of access, attack and regulatory noncompliance on remote office servers and desktops by virtualizing them and consolidating them back into the data center as part of a VDI architecture.

Even well-managed physical desktops do not offer the control and visibility options available with VDI, and they lack the flexibility of a virtual environment. IT, for example, can address HR security concerns by providing each HR employee with two vDTs: the first prohibits access to a sensitive HR application, while the second allows access only to that designated application and prevents Internet browsing.
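Both the pool-level firewall described under VDI Risks (desktops in a pool reach designated resources but never each other) and the two-desktop HR arrangement above are, at bottom, a default-deny segmentation policy evaluated per flow. The following is an added example, not code from the original post and not the rule syntax of vShield or View: the address groups, ports and pool names are constructed, and the policy is checked against a table of expected flows so that a later rule edit which quietly opens desktop-to-desktop traffic is caught.

```python
"""Default-deny segmentation policy for desktop pools, evaluated flow by flow.

Added example; the groups, addresses and ports are assumed values chosen
to model two controls: VMs in one pool may reach designated resources but
not each other, and an HR user's two desktops (general: Internet proxy but
no HR app; restricted: HR app but no Internet)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed address groups: 10.50.x.0/24 are the desktop pools, the /32s are
# the designated resources a pool may be allowed to reach.
GROUPS = {
    "pool-hr-general": [ip_network("10.50.1.0/24")],
    "pool-hr-secure": [ip_network("10.50.2.0/24")],
    "hr-app": [ip_network("10.10.5.10/32")],
    "web-proxy": [ip_network("10.10.9.10/32")],
}


@dataclass(frozen=True)
class Rule:
    src_group: str
    dst_group: str
    ports: frozenset  # destination TCP ports; an empty set means any port
    action: str       # "allow" or "deny"


# Ordered policy: first match wins, anything unmatched is denied. The
# intra-pool denies come first so that no later allow can override them.
POLICY = [
    Rule("pool-hr-general", "pool-hr-general", frozenset(), "deny"),
    Rule("pool-hr-secure", "pool-hr-secure", frozenset(), "deny"),
    Rule("pool-hr-general", "web-proxy", frozenset({3128}), "allow"),
    Rule("pool-hr-secure", "hr-app", frozenset({443}), "allow"),
]


def member_of(ip, group):
    addr = ip_address(ip)
    return any(addr in net for net in GROUPS.get(group, []))


def evaluate(policy, src_ip, dst_ip, dst_port):
    """Return 'allow' or 'deny' for one flow; no matching rule means 'deny'."""
    for rule in policy:
        if not (member_of(src_ip, rule.src_group) and member_of(dst_ip, rule.dst_group)):
            continue
        if rule.ports and dst_port not in rule.ports:
            continue
        return rule.action
    return "deny"


# Expectations that encode the intent of the two controls.
EXPECTED_FLOWS = [
    ("10.50.2.5", "10.10.5.10", 443, "allow"),   # restricted desktop -> HR app
    ("10.50.2.5", "10.10.9.10", 3128, "deny"),   # restricted desktop -> Internet proxy
    ("10.50.1.5", "10.10.9.10", 3128, "allow"),  # general desktop -> Internet proxy
    ("10.50.1.5", "10.10.5.10", 443, "deny"),    # general desktop -> HR app
    ("10.50.2.5", "10.50.2.6", 445, "deny"),     # desktop -> desktop, same pool
    ("10.50.1.5", "10.50.2.5", 3389, "deny"),    # desktop -> desktop, across pools
    ("10.50.2.5", "10.10.5.10", 22, "deny"),     # allowed pair, non-designated port
]


def policy_violations(policy=POLICY, expected=EXPECTED_FLOWS):
    """Return the expectations the policy fails (an empty list means policy OK).

    Each entry is (src, dst, port, wanted, actual)."""
    violations = []
    for src, dst, port, wanted in expected:
        actual = evaluate(policy, src, dst, port)
        if actual != wanted:
            violations.append((src, dst, port, wanted, actual))
    return violations


if __name__ == "__main__":
    bad = policy_violations()
    print("policy OK" if not bad else f"violations: {bad}")
```

Keeping the explicit intra-pool denies ahead of the allows matters even though the default is deny: if someone later appends a broad intra-pool allow, the earlier deny still wins, whereas a policy that relied on the default alone would silently open desktop-to-desktop traffic. The expectation table is the regression check that makes that failure visible.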

VDI cannot guarantee data security – employees can still perform malicious acts such as photographing their screens. But VDI does enable IT to piece together the big picture forensically: when the user was logged in, what was accessed and how long it was on the screen.

IT Staff Resources

Attempting to lock down the physical desktop environment is not only costly but can also create user satisfaction and productivity issues. VDI eliminates the need for desktop upgrades while slashing administrative and troubleshooting requirements. IT then has more resources to devote to security, as well as to integrating vDTs into an overall IT-as-a-Service strategy for making the organization more innovative, efficient and competitive.

Huge thanks to Mike Foley (@mikefoley) of RSA and to Andre Leibovici (@andreleibovici) of VMware for their assistance with this article. Please see some of Foley's direct thoughts on this topic below.

Comments


14 Responses to Which are more secure, virtual or physical desktops?

Physical desktops: they live everywhere. Littered about the world like the forgotten detritus of a failed empire. Managing and maintaining them largely requires installing things on the physical desktops themselves, maintaining them individually and collecting metrics and diagnostic information on these various pieces of gear from all across hell’s half acre.
Virtual desktops: they live in one place. Wholly removing the argument about “easier to maintain hardware and software if it’s all in one place,” let’s get to the real meat of it. If this stuff lives in one place, I no longer have to baby the endpoints. I can stop managing the BOX and start managing the BAND.
In a VDI world, I don’t have to play nursemaid to every browser, plug-in, application and idiot user in the entire world. I just slap a monster IDS on the network and filter the ever-lovin’ crap out of every packet that goes anywhere. Scan the storage. Scan the edge network. Sample the inter-system communication at random and look for anything suspicious.
This is cost prohibitive in a physical desktop world, but easy and cheap in a VDI environment.
So which is more secure? Neither. It depends entirely on which tools and expertise you have available to you. If I was building a network from scratch, I would build it VDI, because I like simple and robust. Managing the band instead of many – many – boxes is far simpler to me.
If you have millions of dollars worth of investment in – and a cadre of trained support staff for – managing the box, then moving to manage the band is ridiculous.
Horses for courses, and your mileage will vary as a consequence of the starting position you occupy.

I don’t care which way you cut it: While putting a desktop in the datacenter may reduce the attack surface, it does so at the cost of bringing the battle closer to your most sensitive assets. Allow me to quote from a comment I recently made in my blog ( http://blogs.bromium.com/2012/04/04/vdiaas-is-a-pain-in-the-aas/#comment-77 ):
“Think of your sensitive information in the context of treasure – your datacenter as your castle, and think of malware as barbarians rushing your castle to get at the treasure. Do you want to fight the barbarians outside the castle walls or inside the castle walls? Yes, your fortifications may be more concentrated and acute inside the castle walls, but damn.. All it takes is for one guard to make a single mistake and the barbarians are footsteps away from your treasure. Whereas outside the gates, yes – the likelihood of the villager’s compromise is greater than a knight’s but they are compromised outside the castle where the barbarian’s gain on the treasure is significantly less so than were they inside the castle walls.
So the security delta between TS and VDI is insignificant to me because both solutions bring the fight within the castle walls and my premise is that even if the desktop may be less secure outside of the datacenter, it is still a smaller security risk than a desktop inside the datacenter because it only takes one person making one mistake to bring the attack too close for comfort.
You will get hacked. This is not a possibility, it’s a certainty. Design your security strategy with this in mind and you will see the world through my eyes.
Think less about the desktop and more about how best to make it as difficult as possible for malware to get close to your sensitive information once compromised has already happened.”

Tal,
I completely agree with you that the treasure needs to be guarded either way. It’s my contention that you have a lot more options when it’s all stored behind the castle walls rather than dispersed in nooks and crannies throughout the kingdom.

My perspective on it is that if I have to contend with a compromised desktop, that is, if we start off with the assumption that regardless of whether the desktop is physical or virtual it will get hacked, then I’d prefer that desktop to be outside my datacenter.

Tal, despite my post – I am in no way a security expert or even a security wannabe. I just did some research to answer a question I’ve been pondering for some time. But your comment seems to imply that someone can hack a data center (virtual) desktop as easily as a distributed physical desktop. Perhaps it would be true if vDTs are just set up “out of the box”. But when deploying the myriad tools and configuration options available for a centralized model, wouldn’t you agree that the virtual desktop is going to be more resistant to attack?

No. The ease of hacking a virtual desktop vs. a physical desktop is not what we’re talking about. What we’re talking about is the assumption that either type of desktop will eventually get hacked. If we make the following assumptions:
1. Undetectable malware exists
2. It propagates through whitelisted apps
Your desktop – physical or virtual – cannot prevent such an attack. It cannot detect the undetectable, and it cannot prevent it from executing because it propagated via a whitelisted application. Therefore we must assume that all desktops are vulnerable, regardless of whether some are more vulnerable than others. The question we must ask ourselves is:
Which desktop, when compromised, leaves my company most exposed?

For all Tal’s talk about Barbarians at the gates, he completely ignores the fact that most people using VDI for cybersec purposes deliberately host their internet facing desktops outside of their primary DC and most often with a third party provider.
He does not understand VDI or DaaS. I have no idea why the man is commenting on this so much; I can only think it’s because we proved as much on his own blog.
Tal says “regardless if the desktop is physical or virtual, it will get hacked, then I’d prefer that desktop to be outside my datacenter.”
That’s why DaaS for cybersec exists, Tal, so those desktops are not in your DC.
Stop talking FUD.

It is common to think that because a desktop service (shared, or hosted) is in the datacentre then it is more secure – or at least, less risky, than having a distributed environment.
Can I suggest having a read of Ed’s excellent article http://www.virtualizationpractice.com/a-vdi-desktop-is-no-more-secure-than-a-standard-desktop-13714/ and a listen to the podcast & BrightTalk presentation? Those resources work together to present a compelling argument for not being overly complacent about a centralised environment and talking around the question you’ve posed.
I think the most important point is “there are lots of tools to protect data and applications” – but those tools are *additional* to all services. As Trevor mentions – none of the services are inherently secure in their own right. “Slap a monster IDS in” .. could do that with a set of desktops tbh: it then is a difference of management preference, and management isn’t security.
But anyways, check out Ed’s blog and his presentation – a good intro and guide I think to the questions you’ve posed.
hth
a.

I completely agree with Guise…
Sorry Tal, but I tend to believe that you have never been part of a large scale VDI or DaaS deployment, otherwise you would know that virtual desktops and the whole infrastructure supporting the environment are often built completely apart from core datacenter systems. Sometimes even in different physical data centers.
Yes, all desktops are hackable, being virtual or physical. However, the ability to implement security features such as IDS, application and packet analysis tools, or just to leave open network ports required to the applications will help mitigate intrusion and increase detection.
If you have a poorly managed VDI environment it will provide no security benefits compared to a poorly managed physical environment, however if you have a properly architected and managed VDI environment it will provide additional security and control that you don’t easily get on physical environment.
Major government agencies are all using VDI to control access to in-confidence data where the data can only be accessed by VDI sessions, because the data lives in a completely different datacenter and storage set not accessible via physical desktops. That’s yet another security layer that VDI adds that is not possible with physical desktops unless you have multiple network switch ports configured for different subnets. Or are you going to argue that VNC is a viable solution?!
Sorry, but VDI does promote additional security layer when properly architected, deployed and managed.
Andre Leibovici

Andre – a few things
“Yes, all desktops are hackable, being virtual or physical. However, the ability to implement security features such as IDS, application and packet analysis tools, or just to leave open network ports required to the applications will help mitigate intrusion and increase detection”
But you can put all that stuff in place in front of your sensitive corporate assets (which are all in the datacentre right?). Treat the desktop as untrusted, whatever deployment model you choose and secure your data. And a lot of the conversation above is all about trying to mitigate this stuff at the network layer – even in VDI that soon becomes unwieldy, and is largely trying to impose last decades solutions when they haven’t really worked that well anyway. A defense in depth strategy will of course consider the network, but you’ve still got to have protection at all layers.
“Sorry, but VDI does promote additional security layer when properly architected, deployed and managed.”
But if you properly architect, deploy and manage a standard desktop, you’ll get that same benefit. The problem people are trying to solve with VDI is that they don’t want to invest in securing their desktop, but in typical IT fashion see new shiny objects in VDI and invest in that. They of course completely ignore that the large majority of improvements they will get from VDI come from being well managed & architected, not from VDI.
(Disclaimer: I work for Microsoft, but these are my own opinions, not those of my employer)

The first thing which comes to mind is physical desktops, but nowadays VMs are also developed with more secure features. Normally the expenditure and priority is high for virtual machines, because of accessing multiple servers at a time. Thanks for sharing the nice article.

1. Andre – I’m happy to put my VDI implementation experience against your own. Anytime you’d like to compare credentials and deployments, I’m your huckleberry.
2. Putting VDI desktops outside of your datacenter is an even bigger mess. If you’ve got those sort of capital and liquidity resources – you’re better off spending them tightening up your existing desktop framework and focusing on remote apps and policy enforcement. As Stu astutely said – you could gain the same lauded benefits by simply spending the money focusing on re-architecting standard desktops.
3. Outsourcing VDI makes the assumption that you can quantify end-user experience under SLA. Such VDI deployments will entice the user to look outside of them in search of productivity which transforms your deployment into a hybrid one as the user adds their own devices to the mix for direct access to resources, the security ramification of which you can choose to ignore at your own peril.

Tal,
I’m sorry if I offended you and for that I apologize.
I guess the best way out for this discussion is to provide customers with all possible options (physical desktops, VDI, RDS etc…) and let organizations and the market decide what’s best for them.
There will always be a winner solution with higher adoption at the end of the day, even if the winner is a winner for the wrong reasons (BETA vs. VHS, PC vs. MAC, JAVA vs. Ruby, IOS vs. Android etc…).
Andre